Policy | Security | Investigation

September 24, 2008

Electronic Mail Erased

Spoliation in Electronic Records Law | Sanctions

In records management one school of thought says employees should be expected to examine each of their e-mail, instant and text messages and make records retention decisions. Under this school, the decisions are 1. do we keep this message or allow our IT system to destroy it quickly, and 2. if we do keep this message, do we keep it in retention category A, category B or category C. I'll call this the make-a-decision school of thought. See the good discussion.

Generally speaking I am skeptical of the make-a-decision school of thought. The reason is that – in this Age of Information – few employees have the time, talent or disposition to make good decisions. The growth in the number of digital messages touching employees is accelerating. The growth will continue to accelerate.

Cases show the legal system punishing enterprises for destroying records too early under the make-a-decision approach.

Arthur Andersen's formal records policy expected its professional auditors to make lots of records decisions (keep this record, destroy that record). But AA's auditors were too busy doing their day jobs, so they procrastinated about making decisions on records related to their biggest client, Enron. In other words, the digital age had swamped Andersen's employees with too many e-mails, faxes and papers. Therefore, they accumulated a backlog of records . . . records that demanded decisions, boring tedious decisions that employees hate. (Keep it or destroy it? Keep it or destroy it? Keep it or destroy it?) Then, when crisis rose at Enron, AA's employees deliberated about what to do with this backlog. They deliberated about how to interpret their record retention policy in this unexpected situation, and then (with the involvement of qualified counsel) they made decisions that later looked bad. Andersen's employees destroyed records in the good-faith belief that they were following their policy consistent with advice of counsel. The legal system proceeded to destroy Andersen.

Another case: In Broccoli v. Echostar Communications Corp., 229 F.R.D. 506 (D.Md. 2005), employee Broccoli complained to management that a superior was harassing him sexually. Multiple managers discussed this complaint by e-mail. Later, after Broccoli sued, the employer could not produce records of the relevant e-mails exchanged among managers. The employer said its usual policy was to destroy (erase) e-mail in 21 days, and it had just followed its policy. The court sanctioned the employer for spoliating e-mail records. The court said it may be okay for a company to destroy e-mail quickly . . . so long as the company suspends destruction with respect to e-mails related to potential litigation like that brought by Mr. Broccoli. In effect the court said the employer should have applied an early litigation hold on e-mails related to Broccoli's complaint.

So what would the make-a-decision school of thought say about the Broccoli case? I interpret it to say that managers must be trained to recognize e-mails that pertain to potential litigation and then to save those e-mails specially (i.e., put them in category X). To me, that approach to e-mail retention does not normally work. Managers are ill-qualified to make such decisions. They don't have time to make those decisions with respect to the ever-growing deluge of e-messages (including cell phone texts, iPhone mail, telephone Twitters, instant message (IM) chat, BlackBerry calendar alerts, voicemails converted to text and more) coming at them.

I therefore offer a hypothesis: Enterprises will fare better in the Age of Information if they tilt toward being very generous in their retention of electronic records . . . and tilt away from expecting individual employees to make one-by-one, keep-it-or-destroy-it records retention decisions.

This is a big topic, and it keeps me humble. I do not know everything. This post does not cover all the issues. I aspire to explore more of the issues, and I welcome input!

Comments


Wow... where to start?

Okay, disagree COMPLETELY on what happened in the Enron/AA case, especially when it comes to what AA did. You're right that AA had an RM Policy, but the problem isn't their application of the policy, it's WHEN they chose to apply it. Had they followed the policy and destroyed the supporting audit records 5 years after completion of the audits, they would have been destroyed in compliance with the retention schedule and policy, IN THE NORMAL COURSE OF BUSINESS.

Instead, once AA got wind of a legal action, Ms. Temple (who wasn't the hero in this case, but actually the villain) sent out a memo urging AA's managers to "follow the retention policy" and ensure information was appropriately destroyed. Now, it COULD be argued (but I doubt successfully) that she was misinterpreted and that managers should have known that she meant to follow policy in the course of business, but if others HAD understood this, some of the changes to the FRCP wouldn't have been enacted following this landmark case.

There was no "deliberation"; AA contacted a recycling company and a shredding company and sent out TONS of paper (literally - as I recall it exceeded 5500 pounds) to be destroyed en masse. You're right this backlog of records "demanded decisions", but those decisions should have been made years beforehand. Someone had made a conscious decision to continue retaining the paper far beyond its required retention and pay for costly office space to house it, and when that happened, they should have been aware that it wasn't regularly accessed, what it represented, how old it was, and that based on that information it could have been destroyed.

As for the Broccoli case, that's only one in a myriad of cases where decisions made to apply a "time or volume based retention" decision without consideration of content and existing retention policies have bitten an organization. Merrill Lynch (et al), Zubulake vs UBS Warburg, DOJ vs Microsoft, Linnen vs AHRobbins, and many others are prime examples of ignorance not being an excuse.

If the e-mails had been properly categorized and retention periods set at the time of receipt or creation, none of this would have been an issue. If the litigation hold was required, it could have easily been applied against the repository of categorized records.

Even if the practice of "role and rule based" categorization had been used (as discussed in another blog thread), much of this could be done in an automated manner, avoiding the requirement of item by item decision-making.

I disagree that 'very generous...retention of electronic records' is a prudent course of action for an organization. If you do research into the requirements for records management, decisions are to be made regardless of media, form, or format. To make decisions based on the medium in which the records exist only results in an inconsistent application of retention policies, which results in the entire practice being called into question in the event of a legal action.

As fuel for the conversation, I point to the Norwalk Community College case I have discussed previously. The court punished Norwalk for failing to retain e-mail related to a sexual harassment allegation. The court said Norwalk should have implemented a "litigation hold" when police investigated the allegation (well before a lawsuit was filed). But it is very difficult for an enterprise like a community college to figure out -- at the time in question -- that it needs to implement a sophisticated beast called a litigation hold. I therefore hypothesize that the best reaction to modern cases is to be much more generous in the retention of e-messages. --Ben

I would just like to second what Larry Medina has posted above. The problem with Enron/Arthur Andersen was the desire and intention of key individuals to destroy evidence that they knew was relevant to an open legal matter. In this particular case there was an existing document that described a records management policy but this policy was not followed and the lack of enforcement was common knowledge. Key managers tried to use this document as a cover to violate their duty to preserve evidence.

In other cases firms have lacked the infrastructure to implement, monitor and track compliance with legal holds. Rather than lengthening retention periods firms need to look at ways in which they can strengthen their regime for compliance with ESI preservation. Tools that allow preservation in place as well as legal hold software need to be seriously considered.

Finally, I would suggest that speculation about future litigation is not a reasonable way of establishing retention requirements. In such cases speculation about future litigation is different than being in receipt of notice of anticipated litigation. In the latter case a party has a reason to anticipate litigation.

For example -- it is possible that Mr. Wright may at some point in the future be a defendant in a malpractice case. Does that mean that he needs to preserve everything indefinitely just in case such a suit is brought? I do not think that this is what the law requires. At least I hope not.

"The court said Norwalk should have implemented a 'litigation hold' when police investigated the allegation (well before a lawsuit was filed). But it is very difficult for an enterprise like a community college to figure out -- at the time in question -- that it needs to implement a sophisticated beast called a litigation hold."

Actually, it should not have been difficult to implement the litigation hold in the Norwalk case. The sexual harassment allegations were ongoing - the case was still open. Whether or not a lawsuit had been filed, the allegations had not yet been fully examined and/or dismissed. As the teacher in question was employed by the college at the time in question, the college still was responsible for retaining the records in question. Organizations should apply litigation holds where there is litigation or the possibility of litigation - which is not a stretch of the imagination in the slightest when there had not yet been even a ruling on the allegations in question. In this case, there was clear error on the part of the college for wiping the teacher's hard drive, and the college should have known better.

None of this has anything to do with the retention period of the records. The college improperly destroyed records it should have retained, because it should have known it needed them. But proper application of retention periods should remain separate from application of litigation holds. If an organization applies both correctly, then it is in far better shape than if it just lengthens retention periods across the board to account for not applying any litigation holds.

Thanks to David and Rebecca for their good comments. Over time, I hope to explore all these comments in more depth.

Meanwhile, here's another in the cavalcade of cases punishing organizations for stingy e-mail retention: Disability Rights Council of Greater Wash. v. Washington Metro. Area Transit. The case shows it's easy to direct employees to evaluate e-mails one-by-one and then save certain of them in the "litigation hold" category. But the danger is that employees often don't follow such directions competently. --Ben

Until an absolute rule is put into place, there is no answer to the e-mail retention riddle. Courts will use non-compliance by company employees as rationale to support a decision that the court wants to make - regardless of how robust the company retention policy actually is. The best practice is to have a blanket rule - period - and stick to the rule. If a company has a steadfast policy that all e-mail records will be deleted within four months and no digital archive is kept past that period, a Court cannot say that the company was not properly complying with its e-discovery request so long as the company produces the four months of email records.

To date, the cases that have been addressed by the courts are those where there was reason to believe that the email records in question would be needed in anticipation of future litigation and the company did not comply or outright ignored its obligation to maintain those emails. For example, in the Norwalk case, the school was on notice of the claim and therefore should have recognized from that point forward that everything relating to the claim should be kept – in addition to those emails already residing on the system. Similarly, the Washington Metro case involved instructions to executive staff members asking them to identify and preserve those emails that may be necessary to respond to a litigation matter. However, because of the sheer volume of daily emails received by many executives, this is asking a great deal. The obvious issue was captured many years ago in one of the first mantras of the computer age:

To err is human.

Unfortunately, company IT departments cannot hand hold every employee to ensure that s/he is complying with the storage and deletion policies. Additionally, in a digital world, asking executives to make a snap judgment as to whether an email is a “record” or “non-record” is burdensome. Executives forced to comply with such a policy will simply move everything to the “record” container.

The additional issue involves the concept of a “litigation hold.” Under the Federal Rules of Evidence, information is relevant to a matter if it has “any tendency to make the existence of any fact that is of consequence to the determination of the action more probable or less probable than it would be without the evidence.” Usually discovery, and particularly e-discovery, is authorized even if the discovery would otherwise be inadmissible if it could lead to relevant information in the case. So, if a company policy requires its employees to make these snap judgments as to the relevancy of their email, the company has effectively asked the employees to stand in the shoes of a judge and make a VERY subjective decision - which is a mistake. Therefore, the conservative approach would be to save everything.

However, saving everything can also be an issue. In large national and multi-national companies, there is a constant threat of litigation or anticipated litigation. A “hold everything” policy in such a company would be as effective as having no retention policy whatsoever. So we are back to asking the employees to identify those emails that are relevant for purposes of the litigation which, as recognized in the Washington Metro case, is not reliable.

Ultimately an absolute rule must be established to provide guidance to companies regarding electronic discovery. Once the bright line is drawn in the sand, the issue will be removed from the subjectivity of the legal process. Besides, statutes such as Sarbanes Oxley and a number of other statutes have their own retention rules, for which most companies already have certain compliance and retention measures in place. Lastly, any company engaged in extensive business deals that does not otherwise archive those transactions is practicing bad business and likely deserves any penalty it might incur as a result of those practices.

However, until such time as an absolute rule is established, I follow the long line of bloggers and other learned professionals that say, make a rule and stick to it. By establishing a reasonable company retention policy and recognizing the need for a legal hold where applicable a company will be in the best position to defend itself in any litigation.

My thanks to J Raftery and others for their good comments above. In reply to the comments, I wish to contribute more support for my argument that wise firms will tilt toward keeping more ample records. Please see my new post on how Congress changed obstruction of justice law in the wake of the Arthur Andersen case. --Ben

I think the inquiry should not so much be about how long to keep emails, but first whether the subject of the email is a scheduled business record subject to the retention schedule established by the organization, like the acceptance of a contract, or whether it is an un-scheduled communication not subject to any retention schedule, like an invitation to a birthday party in the cafeteria. The mere fact that the information was communicated by email is like assigning a retention schedule based upon the type of envelope a paper letter or contract was wrapped in before being sent.

To answer this question, organizations should also look to how they handle emails. Some companies require emails that rise to the status of a scheduled business record be copied into a SharePoint portal or the like and others allow them to be kept in Exchange or Notes. If they are in the first category it may be appropriate to deem any emails not ported into a document management system as being unscheduled and hence delete them after 90 days. If an organization handles the retention of scheduled emails in the email server, then they might have to develop a more complex retention scheme for ESI stored in that repository. Therefore, I think it would be wrong to take a one size fits all solution to this issue - especially as emails are increasingly becoming the official business record of key transactions - either by design or inattention on the part of record managers.

Further to the good conversation in this thread, I have a new post arguing that records management should break from the past and treat e-mail differently from the way it historically treated paper. --Ben


Blogger

Attorney Benjamin Wright is the author of technology law books, including The Law of Electronic Commerce (Aspen Publishers) and Business Law and Computer Security (SANS). A featured speaker at industry conferences and professional meetings, Wright teaches e-discovery, data security and cyber investigations law at the SANS Institute. Mr. Wright advises clients on digital law and forensic investigations. He is a pioneer in the promotion of public relations to address Internet legal issues and crises. His telephone is 1.214.403.6642. Wright's e-mail is ben_wright at compuserve dot com (put "BLOG" in subject line to distinguish yourself from spam). Mr. Wright graduated from Georgetown University Law Center 1984.
